Encrypted Memory Access Using Page Table Attributes

1. A memory system comprising: memory elements organized into memory regions; a memory controller at a memory interface, the memory controller comprising: an encryptor to control a plurality of memory access keys respectively associated with the memory regions, wherein each memory region is allocated to a respective client, and wherein the memory access keys are stored in page table attributes of a page table; an access manager configured to: receive an access request from a client, wherein the access request includes a client access key to access a memory element corresponding to a virtual address, determine, in the page table, a physical address corresponding to the virtual address, look up, from a page table attribute associated with the physical address a memory access key associated with the physical address, compare the client access key with the memory access key associated with the memory region that includes the memory element, and provide a response to the access request based on the comparison and a mode of operation, wherein the access manager is further configured to determine that the access request is not valid by identifying a page table miss in the page table; and wherein the client access key comprises: at least one of a process identifier, a thread identifier and an application identifier; and a cyclically changing context definition indicating said at least one of the process identifier, the thread identifier and the application identifier is currently associated with a current status of the memory system.

2. The memory system of claim 1 , wherein the mode of operation is isolation only, and wherein the access manager is to determine one of: the access request is valid, and the encryptor is to provide unencrypted data to the client, and the access request is not valid, and the encryptor is to provide scrambled data to the client.

3. The memory system of claim 1 , wherein the mode of operation is encryption and error correction only, and wherein the encryptor is to perform encryption and error correction functions, and wherein, upon a determination that the access request is not valid, the access manager is to generate an alert that a fatal uncorrectable memory error has occurred.

4. The memory system of claim 1 , wherein the mode of operation is isolation, encryption and error correction, and wherein the access manager is to determine one of: the access request is valid, and the encryptor is to provide unencrypted data to the client, and the access request is not valid, and the encryptor is to provide scrambled data to the client, and wherein the access manager is to generate an alert that a fatal uncorrectable memory error has occurred.

5. The memory system of claim 1 , wherein the client is one of a user, an application, a process, a driver, and a multiprocessor with virtualized clients.

6. The memory system of claim 5 , wherein the client access key is unique to each client of the plurality of clients.

7. The memory system of claim 1 , wherein the client access key includes one of a process identifier, a thread identifier, an application identifier, and a context definition.

8. The memory system of claim 1 , wherein the memory regions comprise non-volatile shared memory.

9. The memory system of claim 1 , wherein the access manager is to determine that the memory element is accessible to a new client, and wherein the encryptor is to update the memory access key to conform to a new client access key associated with the new client.

10. A method comprising: controlling, via a memory controller at a memory interface, a plurality of memory access keys respectively associated with memory regions of the memory system, wherein each memory region is allocated to a respective client, and wherein the memory access keys are stored in page table attributes of a page table; receiving, via the memory controller, an access request from a client, wherein the access request includes a client access key to access a memory element corresponding to a virtual address; determining, in the page table, a physical address corresponding to the virtual address; looking up, via the memory controller, from a page table attribute associated with the physical address, a memory access key associated with the physical address; comparing the client access key with the memory access key associated with the memory region that includes the memory dement; determining that the access request is not valid by identifying a page table miss in the page table; providing, via the memory controller, a response to the access request based on the comparison and a mode of operation; and determining that the memory element is accessible to a new client; and updating the memory access key to conform to a new client access key associated with the new client, wherein the memory controller comprises an encryptor to control a plurality of memory access keys respectively associated with the memory regions; and wherein the client access key comprises: at least one of a process identifier, a thread identifier and an application identifier; and a cyclically changing context definition indicating said at least one of the process identifier, the thread identifier and the application identifier is currently associated with a current status of the memory system.

11. The method of claim 10 , wherein the mode of operation is isolation only, and further comprising: providing unencrypted data to the client upon a determination that the access request is valid, and providing scrambled data to the client upon a determination that the access request is not valid.

12. The method of claim 10 , wherein the mode of operation is encryption and error correction only, and further comprising: performing encryption and error correction functions, and upon a determination that the access request is not valid, generating an alert that a fatal uncorrectable memory error has occurred.

13. The method of claim 10 , further comprising: identifying an unauthorized access request from a client; and restricting access to the memory region associated with the unauthorized access request.

14. The method of claim 10 , wherein the client access key is unique to each client of a plurality of clients.

15. A programmable memory controller comprising: a non-transitory computer readable medium that stores configuration data for logic to enable the memory controller to: control a plurality of memory access keys respectively associated with memory regions of the memory system, wherein each memory region is allocated to a respective client, and wherein the memory access keys are stored in page table attributes of a page table; receive an access request from a client, wherein the access request includes a client access key to access a memory element corresponding to a virtual address; determine, in the page table, a physical address corresponding to the virtual address; look up, from a page table attribute associated with the physical address, a memory access key associated with the physical address; compare the Ghent access key with the memory access key associated with the memory region that includes the memory element; and provide a response to the access request based on the comparison and a mode of operation, wherein the mode of operation is one of isolation only, encryption and error correction only, or a combination of isolation, encryption and error correction, wherein the non-transitory computer readable medium stores configuration data for logic to: identify a page table miss in the page table; determine that the access request is not valid based on the identified page table miss, and wherein the memory controller comprises an encryptor to control a plurality of memory access keys respectively associated with the memory regions; and wherein the client access key comprises: at least one of a process identifier, a thread identifier and an application identifier; and a cyclically changing context definition indicating said at least one of the process identifier, the thread identifier and the application identifier is currently associated with a current status of the memory system.

16. The memory controller of claim 15 , wherein the client is an application, and wherein the computer readable medium stores configuration data for logic to: identify an unauthorized access request from the application; and generate an interrupt to an operating system to terminate the application.

17. The memory controller of claim 15 , wherein the computer readable medium stores configuration data for the logic to further: determine that the memory element is accessible to a new client; and update the memory access key to conform to a new client access key associated with the new client, wherein the new client access key is to be subsequently transmitted as part of a subsequent access request and is to be compared to the updated memory access key to determine validity of the subsequent access request.

18. The memory controller of claim 15 , wherein the client access key comprises a process identifier, a thread identifier, an application identifier and a context definition.